Facebook must change and policymakers must act on data, warns UK watchdog

The UK’s data watchdog has warned that Facebook must overhaul its privacy-hostile business model or risk burning user trust for good.

Comments she made today have also raised questions over the legality of so-called lookalike audiences to target political ads at users of its platform.

Information commissioner Elizabeth Denham was giving evidence to the Digital, Culture, Media and Sport committee in the UK parliament this morning. She’s just published her latest report to parliament, on the ICO’s (still ongoing) investigation into the murky world of data use and misuse in political campaigns.

Since May 2017 the watchdog has been pulling on myriad threads attached to the Cambridge Analytica Facebook data misuse scandal — to, in the regulator’s words, “follow the data” across an entire ecosystem of players; from social media firms to data brokers to political parties, and indeed beyond to other still unknown actors with an interest in also getting their hands on people’s data.

Denham readily admitted to the committee today that the sprawling piece of work had opened a major can of worms.

“I think we were astounded by the amount of data that’s held by all of these agencies — not just social media companies but data companies like Cambridge Analytica; political parties the extent of their data; the practices of data brokers,” she said.

“We also looked at universities, and the data practices in the Psychometric Centre, for example, at Cambridge University — and again I think universities have more to do to control data between academic researchers and the same individuals that are then running commercial companies.

“There’s a lot of switching of hats across this whole ecosystem — that I think there needs to be clarity on who’s the data controller and limits on how data can be shared. And that’s a theme that runs through our whole report.”

“The major concern that I have in this investigation is the very disturbing disregard that many of these organizations across the entire ecosystem have for personal privacy of UK citizens and voters. So if you look across the whole system that’s really what this report is all about — and we have to improve these practices for the future,” she added. “We really need to tighten up controls across the entire ecosystem because it matters to our democratic processes.”

Asked whether she would personally trust her data to Facebook, Denham told the committee: “Facebook has a long way to go to change practices to the point where people have deep trust in the platform. So I understand social media sites and platforms and the way we live our lives online now is here to stay but Facebook needs to change, significantly change their business model and their practices to maintain trust.”

“I understand that platforms will continue to play a really important role in people’s lives but they need to take much greater responsibility,” she added when pressed to confirm that she wouldn’t trust Facebook.

A code of practice for lookalike audiences

Inferred data refers to inferences made about individuals based on data-mining their wider online activity — such as identifying a person’s (non-stated) political views by examining which Facebook Pages they’ve liked. Facebook offers advertisers an interests-based tool to do this — by creating so-called lookalike audiences comprises of users with similar interests.

But if the information commissioner’s view of data protection law is correct, it implies that use of such tools to infer political views of individuals could be in breach of European privacy law. Unless explicit consent is gained beforehand for people’s personal data to be used for that purpose.

“What’s happened here is the model that’s familiar to people in the commercial sector — or behavioural targeting — has been transferred, I think transformed, into the political arena,” said Denham. “And that’s why I called for an ethical pause so that we can get this right.

“I don’t think that we want to use the same model that sells us holidays and shoes and cars to engage with people and voters. I think that people expect more than that. This is a time for a pause, to look at codes, to look at the practices of social media companies, to take action where they’ve broken the law.”

She told MPs that the use of lookalike audience should be included in a Code of Practice which she has previously called for vis-a-vis political campaigns’ use of data tools.

Social media platforms should also disclose the use of lookalike audiences for targeting political ads at users, she said today — a data-point that Facebook has nonetheless omitted to include in its newly launched political ad disclosure system.

“The use of lookalike audiences should be made transparent to the individuals,” she argued. “They need to know that a political party or an MP is making use of lookalike audiences, so I think the lack of transparency is problematic.”

Asked whether the use of Facebook lookalike audiences to target political ads at people who have chosen not to publicly disclose their political views is legal under current EU data protection laws, she declined to make an instant assessment — but told the committee: “We have to look at it in detail under the GDPR but I’m suggesting the public is uncomfortable with lookalike audiences and it needs to be transparent.”

We’ve reached out to Facebook for comment.

Links to known cyber security breaches

The ICO’s latest report to parliament and today’s evidence session also lit up a few new nuggets of intel on the Cambridge Analytica saga, including the fact that some of the misused Facebook data — which had found its way to Cambridge University’s Psychometric Centre — was not only accessed by IP addresses that resolve to Russia but some IP addresses have been linked to other known cyber security breaches.

“That’s what we understand,” Denham’s deputy, James Dipple-Johnstone told the committee. “We don’t know who is behind those IP addresses but what we understand is that some of those appear on lists of concern to cyber security professionals by virtue of other types of cyber incidents.”

“We’re still examining exactly what data that was, how secure it was and how anonymized,” he added saying “it’s part of an active line of enquiry”.

The ICO has also passed the information on “to the relevant authorities”, he added.

The regulator also revealed that it now knows exactly who at Facebook was aware of the Cambridge Analytica breach at the earliest instance — saying it has internal emails related to it issue which have “quite a large distribution list”. Although it’s still not been made public whether or not Mark Zuckerberg name is on that list.

When pressed if Zuckerberg was on the distribution list for the breach emails, Denham declined to confirm so today, saying “we just don’t want to get it wrong”.

The ICO said it would pass the list to the committee in due course.

Which means it shouldn’t be too long before we know exactly who at Facebook was responsible for not disclosing the Cambridge Analytica breach to relevant regulators (and indeed parliamentarians) sooner.

The committee is pressing in this because Facebook gave earlier evidence to its online disinformation enquiry yet omitted to mention the Cambridge Analytica breach entirely. (Hence its accusation that senior management at Facebook deliberately withheld pertinent information.)

Denham agreed it would have been best practice for Facebook to notify relevant regulators at the time it became aware of the data misuse — even without the GDPR’s new legal requirement being in force then.

She also agreed with the committee that it would be a good idea for Zuckerberg to personally testify to the UK parliament.

Though Facebook has yet to confirm whether or not Zuckerberg will make himself available this time.

How to regulate Internet harms?

This summer the ICO announced it would be issuing Facebook with the maximum penalty possible under the country’s old data protection regime for the Cambridge Analytica data breach.

At the same time Denham also called for an ethical pause on the use of social media microtargeting of political ads, saying there was an urgent need for “greater and genuine transparency” about the use of such technologies and techniques to ensure “people have control over their own data and that the law is upheld”.

She reiterated that call for an ethical pause today.

She also said the fine the ICO handed Facebook last month for the Cambridge Analytica breach would have been “significantly larger” under the rebooted privacy regime ushered in by the pan-EU GDPR framework this May — adding that it would be interesting to see how Facebook responds to the fine (i.e. whether it pays up or tries to appeal).

“We have evidence… that Cambridge Analytica may have partially deleted some of the data but even as recently as 2018, Spring, some of the data was still there at Cambridge Analytica,” she told the committee. “So the follow up was less than robust. And that’s one of the reasons that we fined Facebook £500,000.”

Data deletion assurances that Facebook had sought from various entities after the data misuse scandal blew up don’t appear to be worth the paper they’re written on — with the ICO also noting that some of these confirmations had not even been signed.

Dipple-Johnstone also said it believes that a number of additional individuals and academic institutions received “parts” of the Cambridge Analytica Facebook data-set — i.e. additional to the multiple known entities in the saga so far (such as GSR’s Aleksandr Kogan, and CA whistleblower Chris Wylie).

“We’re examining exactly what data has gone where,” he said, saying it’s looking into “about half a dozen” entities — but declining to name names while its enquiry remains ongoing.

Asked for her views on how social media should be regulated by policymakers to rein in data abuses and misuses, Denham suggested a system-based approach that looks at effectiveness and outcomes — saying it boils down to accountability.

“What is needed for tech companies — they’re already subject to data protection law but when it comes to the broader set of Internet harms that your committee is speaking about — misinformation, disinformation, harm to children in their development, all of these kinds of harms — I think what’s needed is an accountability approach where parliament sets the objectives and the outcomes that are needed for the tech companies to follow; that a Code of Practice is developed by a regulator; backstopped by a regulator,” she suggested.

“What I think’s really important is the regulators looking at the effectiveness of systems like takedown processes; recognizing bots and fake accounts and disinformation — rather than the regulator taking individual complaints. So I think it needs to be a system approach.”

“I think the time for self regulation is over. I think that ship has sailed,” she also told the committee.

On the regulatory powers front, Denham was generally upbeat about the potential of the new GDPR framework to curb bad data practices — pointing out that not only does it allow for supersized fines but companies can be ordered to stop processing data, which she suggested is an even more potent tool to control rogue data-miners.

She also said suggested another new power — to go in and inspect companies and conduct data audits — will help it get results.

But she said the ICO may need to ask parliament for another tool to be able to carry out effective data investigations. “One of the areas that we may be coming back to talk to parliament, to talk to government about is the ability to compel individuals to be interviewed,” she said, adding: “We have been frustrated by that aspect of our investigation.”

Both the former CEO of Cambridge Analytica, Alexander Nix, and Kogan, the academic who built the quiz app used to extract Facebook user data so it could be processed for political ad targeting purposes, had refused to appear for an interview with it under caution, she said today.

On the wider challenge of regulating a full range of “Internet harms” — spanning the spread of misinformation, disinformation and also offensive user-generated content — Denham suggested a hybrid regulatory model might ultimately be needed to tackle this, suggesting the ICO and communications regular Ofcom might work together.

“It’s a very complex area. No country has tackled this yet,” she conceded, noting the controversy around Germany’s social media take down law, and adding: “It’s very challenging for policymakers… Balancing privacy rights with freedom of speech, freedom of expression. These are really difficult areas.”

Asked what her full ‘can of worms’ investigation has highlighted for her, Denham summed it up as: “A disturbing amount of disrespect for personal data of voters and prospective voters.”

“The main purpose of this [investigation] is to pull back the curtain and show the public what’s happening with their personal data,” she added. “The politicians, the policymakers need to think about this too — stronger rules and stronger laws.”

One committee member suggestively floated the idea of social media platforms being required to have an ICO officer inside their organizations — to grease their compliance with the law.

Smiling, Denham responded that it would probably make for an uncomfortable prospect on both sides.

SpyCom - PROSpyCom PRO is an upgrade to SpyCom with tons new features, commercial license and other licenses.
SpyCom is the worlds most powerful cloud based AliExpress market research, keyword research and niche research app that also lets you create FB Ad Images in

Mobiflux Pro One TimeMobiflux is the first ever Wordpress plugin that lets you capture and multiply your mobile traffic. It’s twin action system gives you the ultimate in traffic and lead generation no matter what you are marketing online.
With Mobiflux PRO you can implement

CAB - Tube Engage Pro + NicheXploitTube Engage Pro is a powerful desktop software that will help you get more viewers and engagement on your YouTube channel by letting you identify and engage people who are commenting on other channels in your niche.
NicheXploit is a revolutionary softwar

Stealth Commission KitTop Secret Method Ranks You on the 1st page of Google quickly, For Keywords That Actually Make money.

LiveCaster Pro YearlyLive Caster PRO solves the real world problem of grabbing traffic and you already know that. But what you don’t know is that you can generate cash from it also.
Want to know how, by becoming a Whitelabel Reseller. We will provide you with all the marketi

exPersona ProexPersona is a revolutionary plugin that will display content on your site depending on who the visitor is or where they come from

SMSBOT RESELLER UltimateGet UNLIMITED Reseller Rights To Take SMSBot And SELL UNLIMITED Copies Of It, Keep 100% Of Profits And Build A RECURRING INCOME Online!

MaticPress (10 Sites)Are you struggling to create high-quality and rich-content website? With this brand new WP theme, now you can build rich-content website without creating any single of content... Build viral niche sites, drive free traffic, build list, and make money on c

Upgrade To WP Blazer SuiteOnly available for current members of WP Blazer, to unlock the new added features. Wordpress Management Suite - Control all of your Wordpress Blogs In One Simple To Use Dashboard - With Added Automation Features

7 Shares In The MTC CoopStart Getting Easy Traffic To Your Online Offers On 100% Autopilot In As Little As 3 Minutes, Guaranteed!

(Yearly) ConverzlyWe know that EVERY BUSINESS needs a website… so yes this is a page builder, but it’s far superior than any other out there..
What if you could fill out a form or a questionnaire about you,, your business, your customers and the type of result you wanted.

Leads2List Elite YearlyLeads2list captures leads from Facebook as per the niche you have set in. These leads are sought in a perfectly legit manner and rest assured the process is 100% GDPR complaint.
Once the leads have been harvested Leads2list then feeds them straight into

Video Course - Cash Kit PROFinally! A GUARANTEED Way To Make Money Online, that Anyone Can Do! Literally ANYONE can do this... the only way to fail is not to try!! So let's go to Make Some Money Today!!!

xMails OTO6 : SellinMessenger Reseller Basic (250 Licenses)Make $5000 to $10,000 this week with ShotMessenger with Official Reseller rights
Allowing you to make unlimited xMails Accounts for your Clients,
and charge them monthly, yearly just like aweber, getresponse, mailchimp
or a one-time high fee for the mo

Moto Theme DFY Premium ServiceHere's Your Ultimate Turn-Key Solution, Ready To Set Up Your WordPress Sites, And Relieve You From All Your Workload And Team Management Headaches!

ATL - GOLD Upgrade - LITE DSThe Affiliate Traffic Lab is a 100% cloud based software that creates traffic getting videos that you can rank on Google and Youtube in minutes to get you free traffic, leads and sales.

SociBot AGENCY 'LITE'SociBot is an all in one Facebook traffic and commission getting software that will help you to grow your business on autopilot, even whilst your asleep!

Video OverloadAutomate Your Video Blogging Content With Perfectly Monetized Videos Done For You... Automatically Transform Every SINGLE Video Viewer Into Unstoppable Traffic, Leads, and Sales To ANY Offer You Choose...Turning Even The Most Suckiest, Unpopular Video Onlin

ATL - PLATINUM Upgrade - LITE DSThe Affiliate Traffic Lab is a 100% cloud based software that creates traffic getting videos that you can rank on Google and Youtube in minutes to get you free traffic, leads and sales.

Sociible Agency Unlimited (mtly)Sociible Allows You To Create FULLY-AUTOMATED Social Marketing Campaigns in MINUTES by Leveraging OTHER People's AUTHORITY Content
For UNLIMITED, Hands-Free Traffic, Leads and PROFIT – in ANY Niche!

Leads Profiter Pro MonthlyLeads Profiter Is The First Ever Software
On Jvzoo for Quickly Building A
List and Raking Profit Online On Complete AutoPilot
Without Investing In Any Other Tool

Playtraffic ResellerYou can resell Playtraffic as a Promoter or as an Owner yourself. We have two powerful options for you. Choose between Whitelabel or Reseller.
When you sign up as a reseller for Playtraffic we give you everything you need to sell it. Use our sales page a

Stupidly Simple WebinarsSTOP paying for expensive webinar solutions.
With Stupidly Simple Webinars YOU can finally run FREE webinars within Facebook.
Create Profit-Pulling Webinars utilising the POWER of Facebook LIVE, free software and Facebook's own built in tools.
Step-b

SpeakEz Agency and Reseller (250 Licenses)Engage more users by adding voice to your web pages. Allow visitors to seamlessly transition from reading your content, into enjoying a captivating narrated audio version they can have read to them at their leisure.